To: 


Of: 


İCO. 


Information Commissioner's Office 


DATA PROTECTION ACT 1998 


SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER 


MONETARY PENALTY NOTICE 


Saga Personal Finance Limited 


Enbrook Park, Sandgate, Folkestone, Kent CT20 3SE 


The Information Commissioner (“the Commissioner”) has decided to 
issue Saga Personal Finance Limited (“SPF”) with a monetary penalty 
under section 55A of the Data Protection Act 1998 (“DPA”). The penalty 
is in relation to a serious contravention of Regulation 22 of the Privacy 
and Electronic Communications (EC Directive) Regulations 2003 
(“PECR”). 


This notice explains the Commissioner’s decision. 


Legal framework 


SPF, whose registered office is given above (Companies House 
Registration Number: 03023493) is the organisation stated in this 
notice to have instigated the transmission of unsolicited 
communications by means of electronic mail to individual subscribers 


for the purposes of direct marketing contrary to regulation 22 of PECR. 


Regulation 22 of PECR states: 
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"(1) This regulation applies to the transmission of unsolicited 


communications by means of electronic mail to individual 


subscribers. 


(2) Except in the circumstances referred to in paragraph (3), a person 
shall neither transmit, nor instigate the transmission of, unsolicited 
communications for the purposes of direct marketing by means of 
electronic mail unless the recipient of the electronic mail has 
previously notified the sender that he consents for the time being 
to such communications being sent by, or at the instigation of, the 


sender. 


(3) A person may send or instigate the sending of electronic mail for 


the purposes of direct marketing where— 


(a) that person has obtained the contact details of the recipient 
of that electronic mail in the course of the sale or 
negotiations for the sale of a product or service to that 


recipient; 


(b) the direct marketing is in respect of that person’s similar 


products and services only; and 


(c) the recipient has been given a simple means of refusing 
(free of charge except for the costs of the transmission of 
the refusal) the use of his contact details for the purposes 
of such direct marketing, at the time that the details were 
initially collected, and, where he did not initially refuse the 
use of the details, at the time of each subsequent 


communication. 


(4) A subscriber shall not permit his line to be used in contravention of 


paragraph (2).” 
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Section 122(5) of the DPA 2018 defines direct marketing as “the 
communication (by whatever means) of advertising material which is 
directed to particular individuals”. This definition also applies for the 


purposes of PECR (see regulation 2(2) PECR; and Schedule 19, 
paragraph 430 and 432(6) DPA18). 


Prior to 29 March 2019, the European Directive 95/46/EC defined 
‘consent’ as “any freely given specific and informed indication of his 
wishes by which the data subject signifies his agreement to personal 


data relating to him being processed". 


Consent in PECR is now defined, from 29 March 2019, by reference to 
the concept of consent in Regulation 2016/679 (“the GDPR”): 
regulation 8(2) of the Data Protection, Privacy and Electronic 
Communications (Amendments etc) (EU Exit) Regulations 2019. Article 
4(11) of the GDPR sets out the following definition: “‘consent’ of the 
data subject means any freely given, specific, informed and 
unambiguous indication of the data subject's wishes by which he or 
she, by a statement or by a clear affirmative action, signifies 


agreement to the processing of personal data relating to him or her". 


“Individual” is defined in regulation 2(1) of PECR as “a living individual 


and includes an unincorporated body of such individuals". 


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is 
a party to a contract with a provider of public electronic 


communications services for the supply of such services”. 


“Electronic mail” is defined in regulation 2(1) of PECR as “any text, 
voice, sound or image message sent over a public electronic 


communications network which can be stored in the network or in the 


11. 


12. 


13. 


Information Commissioner's Office 


recipient’s terminal equipment until it is collected by the recipient and 


includes messages sent using a short message service”. 


Section 55A of the DPA (as applied to PECR cases by Schedule 1 to 


PECR, as variously amended) states: 


"(1) The Commissioner may serve a person with a monetary penalty if 
the Commissioner is satisfied that - 


(a) there has been a serious contravention of the requirements 
of the Privacy and Electronic Communications (EC 


Directive) Regulations 2003 by the person, 
(b) subsection (2) or (3) applies. 
(2) This subsection applies if the contravention was deliberate. 
(3) This subsection applies if the person - 


(a) knew or ought to have known that there was a risk that 


the contravention would occur, but 


(b) failed to take reasonable steps to prevent the 


contravention.” 


The Commissioner has issued statutory guidance under section 55C (1) 
of the DPA about the issuing of monetary penalties that has been 
published on the ICO’s website. The Data Protection (Monetary 
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe 
that the amount of any penalty determined by the Commissioner must 
not exceed £500,000. 


PECR were enacted to protect the individual’s fundamental right to 
privacy in the electronic communications sector. PECR were 


subsequently amended and strengthened. The Commissioner will 


14. 


15. 


16. 


17. 


18. 


© 
1C O e 
Information Commissioner's Office 
interpret PECR in a way which is consistent with the Regulations’ 


overall aim of ensuring high levels of protection for individuals’ privacy 


rights. 


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the Data Protection Act 2018 (see 
paragraph 58(1) of Part 9, Schedule 20 of that Act). 


Background to the case 


SPF came to the attention of the ICO following several complaints 
regarding unsolicited email marketing, between the periods of 
September 2018 and March 2019. The emails stated that they were 
sent on behalf of SPF by an affiliated company, which has since been 
identified as MM (referred to throughout the investigation as a 


“Partner”). 
SPF is a subsidiary of Saga Group Limited (“Saga Group”). 


An initial investigation letter setting out the Commissioner’s concerns 
was sent to Saga Group on 10 April 2019. This letter detailed the PECR 
regulations and requested information including details of Saga Group’s 
Partners/Affiliates, websites from which consent for marketing was 
obtained together with evidence of that consent, and a description of 
any due diligence carried out with respect to the data used by Saga 
Group. Included with the letter was a spreadsheet detailing the 


complaints which had been received by the Commissioner. 


On 10 May 2019 a response was received from Saga Group which 


clarified that the marketing material sent to the complainants was sent 
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by two Partners on behalf of SPF, and on behalf of another subsidiary 


of Saga Group. 


The first of these Partners was confirmed to be HE, with the 
second being identified as i (‘GEE’) (collectively 
referred to hereafter as the “Partners”). It was confirmed that the 
Partners would send marketing on behalf of SPF using a database of 
individuals who had opted in to receiving marketing materials from 
third parties either via the Partners’ websites or via websites operated 
by their sub-contractors (“Affiliates”). Marketing emails would be sent 
to individuals either by the Partners or by the Affiliates. Saga Group 
stated that “/t/he arrangements with [the Partners] are on the basis 
that they send out marketing emails in respect of SPF [...] products as 
instigators”. It was confirmed that SPF paid their Partners based on 
the number of leads generated from the marketing, rather than the 
number of emails sent, and as such the volume of emails sent, and the 
targeting of those emails and the recipients, is “under the control of 
the Partners”. It was confirmed that SPF would create the content of 
the direct marketing emails, although it was suggested that this was 
because some of that content would be subject to regulation by the 
Financial Conduct Authority (“FCA”). It was also confirmed that since 
no personal data was being transferred from SPF as part of the 
arrangement with the Partners, it was determined that no Data 


Protection Impact Assessment (“DPIA”) was required. 


The response confirmed that the contracts with the Partners include 
provisions which “...acknowledge that they and their Affiliates instigate 
the sending of the marketing emails and require [the Partners] and 
their Affiliates to be responsible for obtaining and ensuring that all 
necessary consents are in place for the purposes of data protection 
laws (including PECR)". 
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It was also confirmed that in Summer 2018, SPF received 7 complaints 
regarding affiliate marketing emails carried out by the Partners and 
their Affiliates on its behalf. A review was carried out and all affiliate 
marketing was temporarily suspended. This review considered again 
whether SPF might be regarding as an instigator of the direct 
marketing carried out by the Partners/Affiliates; it was determined that 
it would not, and that the Partners/Affiliates remained the instigators of 


the direct marketing. 


On 17 May 2019 the Commissioner asked Saga Group to provide a 
breakdown of the volumes of emails sent on SPF’s behalf by the 
Partners/Affiliates. A response was provided on 24 May 2019, which 
provided the information requested which SPF had requested from its 
Partners, who had in turn requested such information from its 
Affiliates. 


On 20 June 2019 the Commissioner requested details of the volume of 
‘delivered’ emails sent by the Partners/Affiliates. The response provided 
on 5 July 2019 was able to provide this information for one of the 
Partners (“J”) and their Affiliates, but not for the second. 


The Commissioner was able to see that 720,000 emails had been sent 
from (MM directly on behalf of SPF. Upon further investigation it was 
confirmed that jj relied on consents obtained through the ‘ial 
D website ( i). This website did not give 
subscribers an option to provide consent, rather it collected its data 
through: (2) a, 
(>) a [EE] 2ocd/or (c) the “Edited 


Electoral Register and from customer satisfaction and lifestyle surveys, 
mail order, purchase/warranty card responses, and offers and 


competition websites”. 
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The Commissioner calculated that from the evidence provided by Saga 
Group, HM sent a total of 2,745,777 emails on behalf of SPF over the 
period of 14 December 2018 to 2 May 2019, of which 2,714,872 were 


confirmed as being successfully delivered to recipients. 


Saga Group were unable to confirm how many of the emails sent by 
BE and its Affiliates on SPF’s behalf were delivered successfully, 
however it is known that a total of 28,676,526 emails were sent 
between 29 November 2018 and 2 May 2019. 


The Commissioner conducted a review of each of the sites used by the 


Partners and their Affiliates. 


In terms of J and its Affiliates: 


The consent statement ofe, trading as |’, does not 
specify that the subscriber will receive marketing from SPF. Further, 


the site’s privacy policy provides a link for the subscriber to view BEEE 
E third party ‘offers and promotions’, however SPF are not 
specified. 


The consent statements ofe NY, trading asc, do 


not appear to allow the subscriber to select how they wish to receive 
marketing and from whom. The site’s privacy policy provides a link for 
the subscriber to view iY two client lists, however SPF are not 
specified. 


E trading asc’, does not allow the subscriber 


to select how they wish to receive marketing and from whom. The 
consent statement does not specify that subscriber’s details will be 


passed onto third party companies. The site’s privacy policy provides a 
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link for the subscriber to view iY two client lists, however SPF 


are not specified. 


‘Te | trading as N, asks the subscriber 


to sign up to a newsletter for ‘FREE news and money-saving offers for 
mobiles, energy, broadband, credit cards and more...’. The 
subscription page does not state that the subscriber will receive 
marketing from third party companies by signing up to the newsletter. 
ee Privacy policy lists sectors from which the third- 
party companies operate. The privacy policy does list some third-party 


companies, but SPF are not specified. 


‘TE |, trading ascii, allows the subscriber to 
specify how they wish to be contacted, but does not specify the third- 


party companies that may send marketing material. There is a link 
which allows the subscriber to view a list of iy 
“partners”, however the link leads to the company’s privacy policy, 
which only list the sectors in which the company operate. SPF are not 


stated specifically in i consent statement nor in their 
privacy policy. 


‘Eee another Affiliate of HJ, owns and operates 
seven trading sites, these are: |, Ti, 
E a 2 
GM. The consent statements and privacy policies for these sites are 
all the same. The consent statements used for these sites allow the 
subscriber to specify how they wish to be contacted but does not 
specify the third-party companies that may send marketing material. 
The privacy policy does not identify any third-party companies and 
instead lists 48 different sections in which the third-party companies 


may operate. SPF are not stated specifically in the consent statement 
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nor in the privacy policy. It is noted that the consent statements ask 
the subscriber to select their three preferred areas of marketing, 


however selection of three preferences appears to be mandatory before 


entry to the site is allowed. 
In terms of IJ and its Affiliates: 


E Owns and operates two websites, which they use to obtain 
individual subscriber details. JJ use these details to send marketing 
material on behalf of SPF. One of these sites is p ’. 
On this site, the user can select the means by which they are 
contacted, but they are not informed of who they will receive direct 
marketing from. The privacy policy offers a list of sectors from which 
the third parties operate and specifies a small number of companies, 


however SPF are not included. 


The other site owned and operated by i is M 
Similarly to `, the user can select how they wish 


to be contacted but are not informed of who they will receive direct 
marketing from. The privacy policy offers a list of sectors from which 
the third parties operate and specifies a small number of companies, 


however SPF are not included. 


GB also obtain leads through their affiliate companies. One of which 
iS@’, who own and operate three sites: E ‘HE 
E and a. A! three of these sites are trading 


names ofe. The consent statements and privacy policies for 
these sites are all the same. The consent statements state that data 
will be shared with {J and gives the subscriber the opportunity to 
select how they wish to be contacted. The subscriber does not have the 
opportunity to select who they wish to receive communications from 


and are not able to select which marketing they wish to receive from 
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WM. The privacy policies provide a list of sectors from which the 


subscriber may receive marketing from. SPF is not stated specifically in 
E consent statement nor in their privacy policy. 


Another affiliate used by J is GJ, trading as | 
E.On this site the user can select how they wish to be 
contacted but are not informed of who they will receive marketing 
from. Signing up to receive marketing from J and their partners 
appears to be a precondition for signing up to the website. SPF are not 


stated specifically in MM consent statement nor in their privacy 
policy. 


HE also source subscriber details through ‘xx, 
trading as ‘MM’. Their site allows the user to sign up to EEEE 


MM newsletter to receive offers. The user can select their preferred 
method of contact but cannot specify who they wish to be contacted 
by. A link to view the third-party companies is available, but SPF are 
not specified. Instead, the subscriber is provided with a list of over 50 


sectors from which the third parties operate. 


D lso obtain consent fordii through their website 
D. The consent for this site is specific as the user has the 
option to select how they wish to receive marketing and from whom, 
however neither SPF nor {J are stated in their list of “partners”. The 
site’s privacy policy also provides an extensive list of third-party 
companies, however SPF and (J are not stated. The privacy policy 
further lists an extensive list of sectors from which the third-party 


companies operate. SPF are not stated specifically in xy 
consent statement or privacy policy. 


An end of investigation letter was sent to Saga Group on 5 September 
2019. 
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The Commissioner has made the above findings of fact on the 


balance of probabilities. 


The Commissioner has considered whether those facts constitute 
a contravention of regulation 22 of PECR by SPF and, if so, whether the 


conditions of section 55A DPA are satisfied. 

The contravention 

The Commissioner finds that SPF contravened regulation 22 of PECR. 
The Commissioner finds that the contravention was as follows: 


The Commissioner finds that between 14 December 2018 and 2 May 
2019 there were 2,745,777 direct marketing emails sent to subscribers 
on behalf of SPF by its Partner I, and IJ Affiliates. Of those, it 
has been confirmed that 2,714,872 direct marketing emails were 


received by subscribers. 


Furthermore, between 29 November 2018 and 2 May 2019 there were 
28,676,526 direct marketing emails sent to subscribers on behalf of 
SPF by its Partner i, and NM Affiliates. SPF was unable to 
confirm how many of those direct marketing emails were received, 
however its Partner J estimated that between 2 - 10% of ‘sent’ 
messages could be expected to be ‘undelivered’. The Commissioner 
therefore believes it is reasonable to suggest that 25,808,873 (i.e., 
90% of the total number of messages sent by J and its Affiliates) 


could be expected to have been received by subscribers. 


The Commissioner finds that SPF instigated the transmission of the 


direct marketing messages sent, contrary to regulation 22 of PECR. 
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SPF, as the instigator of the direct marketing, is required to ensure that 
it is acting in compliance with the requirements of regulation 22 of 
PECR, and to ensure that valid consent to send those messages had 


been acquired. 


During this investigation it has been proposed that the 
Partners/Affiliates would be the instigators of the direct marketing 
rather than SPF itself. The Commissioner does not agree with this 
interpretation of the situation. Whilst the Partners/Affiliates clearly 
‘sent’ the direct marketing communications under contract, those 
communications included content drafted by SPF. Without SPF’s 
involvement and positive encouragement, those communications would 


not have been sent. 


In any event, even if SPF were to maintain that its partners were the 
instigators of this direct marketing, it is clear that the legislation is 
worded in such a way that regulation 22 PECR is capable of covering 
more than one person/organisation involved in either the transmission 


or the instigation of that transmission. 


It is noted that SPF relied on ‘indirect consent’ for its direct marketing, 
i.e., where the intended recipient had told one organisation that he/she 
consents to receiving marketing from other organisations. The 
Commissioner’s direct marketing guidance says “organisations need to 
be aware that indirect consent will not be enough for texts, emails or 
automated calls. This is because the rules on electronic marketing are 


stricter, to reflect the more intrusive nature of electronic messages.” 


However, it does go on to say that indirect consent may be valid, but 
only if it is clear and specific enough. Consent is not likely to be valid 
where an individual is presented with a long, seemingly exhaustive list 


of categories of organisations; indeed, under the GDPR this 
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requirement goes further and states that even precisely named 


categories of third parties will not be acceptable. 


Furthermore, for consent to be valid it is required to be “freely given”, 
by which it follows that if consent to marketing is a condition of 
subscribing to a service, the organisation will have to demonstrate how 


the consent can be said to have been given freely. 


Consent is also required to be “specific” as to the type of marketing 
communication to be received, and the organisation, or specific type of 


organisation, that will be sending it. 


Consent will not be “informed” if individuals do not understand what 
they are consenting to. Organisations should therefore always ensure 
that the language used is clear, easy to understand, and not hidden 
away in a privacy policy or small print. Consent will not be valid if 
individuals are asked to agree to receive marketing from “similar 
organisations”, “partners”, “selected third parties” or other similar 


generic description. 


The Commissioner is therefore satisfied from the evidence she has 
seen that SPF did not have the necessary valid consent for the 


28,523,745 direct marketing messages received by subscribers. 


The Commissioner has gone on to consider whether the conditions 


under section 55A DPA are met. 
Seriousness of the contravention 


The Commissioner is satisfied that the contravention identified 
above was serious. This is because between 29 November 2018 and 2 
May 2019, a confirmed total of 28,523,745 unsolicited direct marketing 
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messages were received by subscribers, having been sent at the 


instigation of SPF. These messages contained direct marketing 


material for which subscribers had not provided valid consent. 


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA is met. 


Deliberate or negligent contraventions 


The Commissioner has considered whether the contravention identified 


above was deliberate. 


The Commissioner considers that SPF did not deliberately contravene 
regulation 22 of PECR. 


Further and in the alternative, the Commissioner has gone on to 
consider whether the contravention identified above was negligent. 


This consideration comprises two elements: 


Firstly, she has considered whether SPF knew or ought reasonably to 
have known that there was a risk that these contraventions would 


occur. She is satisfied that this condition is met. 


The Commissioner has published detailed guidance for those carrying 
out direct marketing explaining their legal obligations under PECR. 

This guidance gives clear advice regarding the requirements of consent 
for direct marketing and explains the circumstances under which 
organisations are able to carry out marketing over the phone, by text, 
by email, by post, or by fax. In particular it states that organisations 


can generally only send, or instigate, marketing emails to individuals if 
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that person has specifically consented to receiving them; and highlights 


the difficulties of relying on indirect consent for email marketing. 


SPF are registered with the ICO, and therefore ought to have been 
aware of their responsibilities under the data protection legislation. It is 
also reasonable to expect that organisations which are involved in 
direct marketing make sure that they have taken practical steps to 
understand the regulations, embedding this into their marketing 
processes. Indeed, The Commissioner believes that SPF were aware 
specifically of its obligations under PECR as evidenced by an early 
response to the Commissioner’s investigation correspondence which 
stated: 


“The arrangements with Partners and Affiliates is kept under review as 
we are keen to ensure that all marketing relating to Saga is compliant 


with data protection laws, including PECR”. 


It is therefore reasonable to suppose that SPF should have been aware 


of its responsibilities in this area. 


Secondly, the Commissioner has gone on to consider whether SPF 
failed to take reasonable steps to prevent the contraventions. Again, 


she is satisfied that this condition is met. 


SPF signed a contract with its Partners, declaring that the Partners 
themselves were the instigators of the marketing. PECR compliance 
was assumed incorrectly to be the responsibility of the Partners, and as 


such, minimal due diligence was conducted by SPF. 


SPF did take action to prevent further complaints in 2018, by 

temporarily suspending all affiliate marketing whilst an internal review 

was conducted. Some enhanced due diligence and controls were 

subsequently implemented by SPF, however these were insufficient. 
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SPF continued to fail to identify that the consent statements were not 
specific enough in identifying SPF as the organisation about which 
direct marketing would be received, and the direct marketing was 


recommenced on the mistaken basis that the Partners were the 


instigators. 


In the circumstances, the Commissioner is satisfied that SPF failed to 


take reasonable steps to prevent the contraventions. 


The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The Commissioner's decision to issue a monetary penalty 


For the reasons explained above, the Commissioner is satisfied that the 
conditions from section 55A (1) DPA have been met in this case. She is 
also satisfied that the procedural rights under section 55B have been 


complied with. 


The latter has included the issuing of a Notice of Intent, in which the 
Commissioner set out her preliminary thinking. In reaching her final 
view, the Commissioner has taken into account the representations 


made by SPF on this matter. 


The Commissioner is accordingly entitled to issue a monetary penalty 


in this case. 


The Commissioner has considered whether, in the circumstances, she 


should exercise her discretion so as to issue a monetary penalty. 
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The Commissioner has considered the likely impact of a monetary 
penalty on SPF. She has decided on the information that is available to 


her, that SPF has access to sufficient financial resources to pay the 


proposed monetary penalty without causing undue financial hardship. 


The Commissioner’s underlying objective in imposing a monetary 
penalty notice is to promote compliance with PECR. The sending of 
unsolicited marketing emails is a matter of significant public concern. A 
monetary penalty in this case should act as a general encouragement 
towards compliance with the law, or at least as a deterrent against 
non-compliance, on the part of all persons running businesses currently 
engaging in these practices. The issuing of a monetary penalty will 
reinforce the need for businesses to ensure that they are only 


messaging those who specifically consent to receive marketing. 


these reasons, the Commissioner has decided to issue a monetary 


penalty in this case 


The amount of the penalty 


Taking into account all of the above, the Commissioner has decided 
that a penalty in the sum of £75,000 (seventy-five thousand 
pounds) is reasonable and proportionate given the particular facts of 


the case and the underlying objective in imposing the penalty. 
Conclusion, 


The monetary penalty must be paid to the Commissioner’s office by 
BACS transfer or cheque by 12 October 2021 at the latest. The 
monetary penalty is not kept by the Commissioner but will be paid into 
the Consolidated Fund which is the Government’s general bank account 
at the Bank of England. 
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If the Commissioner receives full payment of the monetary penalty by 
11 October 2021 the Commissioner will reduce the monetary penalty 
by 20% to £60,000 (sixty thousand pounds). However, you should 
be aware that the early payment discount is not available if you decide 


to exercise your right of appeal. 


There is a right of appeal to the First-tier Tribunal (Information Rights) 


against: 


(a) the imposition of the monetary penalty 
and/or; 
(b) the amount of the penalty specified in the monetary penalty 


notice. 


Any notice of appeal should be received by the Tribunal within 28 days 


of the date of this monetary penalty notice. 
Information about appeals is set out in Annex 1. 


The Commissioner will not take action to enforce a monetary penalty 


unless: 


e the period specified within the notice within which a monetary 
penalty must be paid has expired and all or any of the monetary 


penalty has not been paid; 


e all relevant appeals against the monetary penalty notice and any 


variation of it have either been decided or withdrawn; and 


e the period for appealing against the monetary penalty and any 


variation of it has expired. 
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88. In England, Wales and Northern Ireland, the monetary penalty is 
recoverable by Order of the County Court or the High Court. In 
Scotland, the monetary penalty can be enforced in the same manner as 


an extract registered decree arbitral bearing a warrant for execution 


issued by the sheriff court of any sheriffdom in Scotland. 


Dated the 13t day of September 2021 


Andy Curry 

Head of Investigations 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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ANNEX 1 
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 55B(5) of the Data Protection Act 1998 gives any person 
upon whom a monetary penalty notice has been served a right of 
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) 


against the notice. 
2. If you decide to appeal and if the Tribunal considers: - 


a) that the notice against which the appeal is brought is not in 


accordance with the law; or 


b) to the extent that the notice involved an exercise of 
discretion by the Commissioner, that she ought to have exercised 


her discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as 
could have been made by the Commissioner. In any other case the 


Tribunal will dismiss the appeal. 


3. You may bring an appeal by serving a notice of appeal on the 


Tribunal at the following address: 


General Regulatory Chamber 
HM Courts & Tribunals Service 
PO Box 9300 

Leicester 

LE1 8DJ 
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Telephone: 0203 936 8963 
Email: grc@justice.gov.uk 


a) The notice of appeal should be sent so it is received by the 


Tribunal within 28 days of the date of the notice. 

b) If your notice of appeal is late the Tribunal will not admit it 
unless the Tribunal has extended the time for complying with this 
rule. 


The notice of appeal should state: - 


a) your name and address/name and address of your 


representative (if any); 


b) an address where documents may be sent or delivered to 


you, 

c) the name and address of the Information Commissioner; 
d) details of the decision to which the proceedings relate; 
e) the result that you are seeking; 

f) the grounds on which you rely; 


g) you must provide with the notice of appeal a copy of the 


monetary penalty notice or variation notice; 


h) if you have exceeded the time limit mentioned above the 


notice of appeal must include a request for an extension of time 
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and the reason why the notice of appeal was not provided in 


time. 


5. Before deciding whether or not to appeal you may wish to consult 
your solicitor or another adviser. At the hearing of an appeal a party 
may conduct his case himself or may be represented by any person 


whom he may appoint for that purpose. 


6. The statutory provisions concerning appeals to the First-tier 
Tribunal (Information Rights) are contained in section 55B(5) of, and 
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure 
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 
(Statutory Instrument 2009 No. 1976 (L.20)). 
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